The Disconnected State of Enterprise Risk Management
Imagine yourself at the symphony. Imagine the conductor facing the orchestra, his pointer poised to count off the first bar. Imagine the anticipation gripping the audience.
As the conductor’s hand rises and falls, you hear the magnificent opening, instruments playing in unison, the passion and precision of their execution, the powerful melody filling the chamber, moving you to respond, enthralling the audience in its power and grandeur.
Suddenly, you realize that something is terribly wrong. Shocked, you see that nearly half the orchestra isn’t playing! They’re just… sitting around, looking bored. Some are on their phones. Some are reading books. Others are fiddling with their instruments but not making a sound.
You’re baffled. You look at the conductor for a clue. Has he noticed? Is he going to do something? This cannot continue, can it? You scan the audience and realize they’re going along with the act, seemingly oblivious.
The orchestra continues to play, the missing parts now obvious to anyone — or at least they should be. You’re no longer at a concert, you think. This must be some type of postmodern performance, one of those “meta” things you’ve heard of but still struggle to truly understand. Maybe the Matrix has finally glitched. You desperately search for an explanation, genuinely wondering if you’re at a mass hypnosis — or psychosis — event.
The audience stays with it. The only things keeping you from jumping to your feet and screaming at the top of your lungs, “Half the orchestra isn’t playing!” are your manners and a sense of decorum. Finally, the “music” stops.
As the surprisingly thunderous applause dies down, the conductor bows again and announces: “As always, the remaining wind, percussion and string sections will be played next month. We look forward to seeing you all there.”
As he turns to cue up the next piece, you start to seriously lose it. This is all supposed to be played together! You look across the audience and see no reaction. Do they think this is normal?
The sense of utter confusion and discontent you’d be feeling is exactly how you should feel about the state of enterprise risk management: Security plays in front of a live audience, while compliance mails in their parts weeks, months or even years after, with the audience — the risk practitioners and leaders — asked to “put it together themselves” if they want to hear the actual concert.
The strangest part? The audience keeps buying tickets and showing up, completely content to hear half the music live and wait for the other half to show up sometime later.
The cybersecurity industry has simply accepted the framing that compliance looks at the past, security operates in the present, and threat intelligence attempts to predict the future. This, of course, is a fallacy that should be treated with about as much contempt as the idea of hearing a concert in individual instrument sections across many dates that are months apart.
Compliance, with its myriad frameworks, standards and mandates, remains the primary means by which we assess and maintain the risk posture of our national, defense and private sector entities. Compliance is how we gauge our resilience, determine shortcomings and prioritize mitigation efforts to resolve them. Compliance, ostensibly, is how we determine where to point our limited security resources in the form of controls to ensure protection against threats.
And yet, while the threats occur in real time, our compliance efforts remain relegated to a historical reporting function, capturing our prior state at best or, worse yet, someone’s subjective opinion of an organization’s security posture. After all, most compliance programs today are best characterized as “opinion farming at scale,” built on surveys or manual assessments of controls by human analysts, who in turn depend on the cooperation and information of countless system owners.
No matter how high you stack those opinions, they don’t turn into facts. Even if you could ensure their fidelity — a tall ask, to be sure — the manual data collection and analysis workflows inherent in these legacy programs would still induce a significant delay in reporting any control failures quickly enough to be addressed before they could be exploited.
You must be asking by now: What is the point of compliance if all we’re doing is capturing past state while pretending it’s a defense against future threats?
And for that question, we return to our concert chamber and the collective delusion occupying the audience.
It’s time to forget decorum. It’s time to stand up and shout: “That’s not how you play that!” It’s time for compliance to play in tune and in tempo with the entire orchestra: security, risk, threat intelligence and incident response. In fact, it’s long overdue.